A Taxonomy of Functional Security Features and How They Can Be Located

Security must be considered in almost every software system. Unfortunately, selecting and implementing security features remains challenging due to the variety of security threats and possible countermeasures. While security standards are intended to help developers, they are usually too abstract and vague to help implement security features, or they merely help configure such. A resource that describes security features at an abstraction level between high-level (i.e., rather too general) and low-level (i.e., rather too specific) security standards could facilitate secure systems development. To realize security features, developers typically use external security frameworks, to minimize implementation mistakes. Even then, developers still make mistakes, often resulting in security vulnerabilities. When security incidents occur or the system needs to be audited or maintained, it is essential to know the implemented security features and, more importantly, where they are located. This task, commonly referred to as feature location, is often tedious and error-prone. Therefore, we have to support long-term tracking of implemented security features. We present a study of security features in the literature and their coverage in popular security frameworks. We contribute (1) a taxonomy of 68 functional implementation-level security features including a mapping to widely used security standards, (2) an examination of 21 popular security frameworks concerning which of these security features they provide, and (3) a discussion on the representation of security features in source code. Our taxonomy aims to aid developers in selecting appropriate security features and frameworks and relating them to security standards when they need to choose and implement security features for a software system.

Bibliographic details
Main authors: Hermann, Kevin, Schneider, Simon, Tony, Catherine, Yardim, Asli, Peldszus, Sven, Berger, Thorsten, Scandariato, Riccardo, Sasse, M. Angela, Naiakshina, Alena
Format: Article
Language: eng
Subjects: Computer Science - Cryptography and Security; Computer Science - Software Engineering
Online access: Order full text
description Security must be considered in almost every software system. Unfortunately, selecting and implementing security features remains challenging due to the variety of security threats and possible countermeasures. While security standards are intended to help developers, they are usually too abstract and vague to help implement security features, or they merely help configure such. A resource that describes security features at an abstraction level between high-level (i.e., rather too general) and low-level (i.e., rather too specific) security standards could facilitate secure systems development. To realize security features, developers typically use external security frameworks, to minimize implementation mistakes. Even then, developers still make mistakes, often resulting in security vulnerabilities. When security incidents occur or the system needs to be audited or maintained, it is essential to know the implemented security features and, more importantly, where they are located. This task, commonly referred to as feature location, is often tedious and error-prone. Therefore, we have to support long-term tracking of implemented security features. We present a study of security features in the literature and their coverage in popular security frameworks. We contribute (1) a taxonomy of 68 functional implementation-level security features including a mapping to widely used security standards, (2) an examination of 21 popular security frameworks concerning which of these security features they provide, and (3) a discussion on the representation of security features in source code. Our taxonomy aims to aid developers in selecting appropriate security features and frameworks and relating them to security standards when they need to choose and implement security features for a software system.
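The abstract frames feature location as the task of finding where implemented security features live in source code and keeping that knowledge current. The following is an added illustration written for this page, not code from the paper or its authors: a small Python locator that maps calls to security-framework APIs (resolving import aliases) and explicit marker comments back to a feature name and reports file and line. The feature names and the API-to-feature table are assumptions for the example; the paper's 68-feature taxonomy and its 21-framework mapping are not reproduced here.

```python
"""Toy security-feature locator (added example, not the paper's tooling).

Two sources of evidence are combined:
  1. calls to known security-framework APIs, resolved through import aliases;
  2. explicit marker comments of the form  # @security-feature: <name>
     that survive when the underlying framework call is refactored away.
"""
import ast
import re
from collections import defaultdict

# Assumed mini-taxonomy: fully qualified API name -> feature name.
# Illustrative only; not the taxonomy or framework mapping from the paper.
API_FEATURES = {
    "bcrypt.hashpw": "password hashing",
    "bcrypt.checkpw": "password verification",
    "jwt.encode": "token issuance",
    "jwt.decode": "token validation",
    "secrets.token_urlsafe": "secure random generation",
    "ssl.create_default_context": "TLS configuration",
    "hmac.compare_digest": "constant-time comparison",
}

MARKER = re.compile(r"#\s*@security-feature:\s*(?P<name>[\w -]+)")


def _import_aliases(tree):
    """Map local names to qualified names for `import a as b` / `from a import b`."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name
                else:
                    top = a.name.split(".")[0]
                    aliases[top] = top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _resolve(dotted, aliases):
    """Rewrite the leading identifier through the import alias table."""
    head, _, rest = dotted.partition(".")
    head = aliases.get(head, head)
    return f"{head}.{rest}" if rest else head


def locate_features(source, filename="<src>"):
    """Return {feature: [(filename, line, evidence), ...]} for one module."""
    found = defaultdict(list)
    tree = ast.parse(source, filename)
    aliases = _import_aliases(tree)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name:
                qualified = _resolve(name, aliases)
                feature = API_FEATURES.get(qualified)
                if feature:
                    found[feature].append((filename, node.lineno, qualified))
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = MARKER.search(line)
        if m:
            found[m.group("name").strip()].append((filename, lineno, "marker"))
    return dict(found)


# Constructed sample module (not real project code) exercising an aliased
# import, a from-import alias, a plain import and a marker comment.
SAMPLE = '''\
import bcrypt as b
from jwt import decode as verify_token
import hmac

def login(user, password, stored_hash):
    if not b.checkpw(password, stored_hash):  # password check
        return None
    return issue_session(user)

def check_api_key(presented, expected):
    # @security-feature: api key comparison
    return hmac.compare_digest(presented, expected)

def parse_token(tok, key):
    return verify_token(tok, key, algorithms=["HS256"])
'''

if __name__ == "__main__":
    for feature, sites in sorted(locate_features(SAMPLE, "auth.py").items()):
        for fname, line, evidence in sites:
            print(f"{fname}:{line}: {feature} ({evidence})")
```

The alias resolution matters in practice: a grep for `bcrypt.checkpw` misses `import bcrypt as b`, and a grep for `jwt.decode` misses `from jwt import decode as verify_token`. The marker comment is the cheap form of the long-term tracking the abstract calls for, since it records intent independently of which framework currently implements the feature.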
doi_str_mv 10.48550/arxiv.2501.04454
format Article
fullrecord (arXiv record, summarised): arXiv 2501.04454; subjects Computer Science - Cryptography and Security, Computer Science - Software Engineering; created 2025-01-08; license http://arxiv.org/licenses/nonexclusive-distrib/1.0 (free to read); full text at https://arxiv.org/abs/2501.04454 (view record in Cornell University) or https://doi.org/10.48550/arXiv.2501.04454 (view paper in arXiv)
fulltext fulltext_linktorsrc
identifier DOI: 10.48550/arxiv.2501.04454
language eng
recordid cdi_arxiv_primary_2501_04454
source arXiv.org
subjects Computer Science - Cryptography and Security
Computer Science - Software Engineering
title A Taxonomy of Functional Security Features and How They Can Be Located